Cert fixes and start of docker testing

.github/workflows/build-and-test-docker.yml

@@ -0,0 +1,18 @@
+name: Docker Image CI
+
+on:
+  push:
+    branches: [ master, dev ]
+  pull_request:
+    branches: [ master, dev ]
+
+jobs:
+
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Build the Docker image
+      run: docker build . --file docker/fedservice.Dockerfile --tag fedservice:$(date +%s)

.github/workflows/python-app.yml

@@ -18,9 +18,12 @@ jobs:
       fail-fast: false
       matrix:
         python-version:
-          - '3.7'
           - '3.8'
           - '3.9'
+          - '3.10'
+          - '3.11'
+          - '3.12'
+          - '3.13-dev'
 
     steps:
     - uses: actions/checkout@v2

dc4eu_federation/bootstrap-dockers.sh

@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+set -eo pipefail
+DOMAIN="${DOMAIN:-$(hostname -f)}"
+TRUST_ANCHOR="https://${DOMAIN}:7001"
+TRUST_MARK_ISSUER="https://${DOMAIN}:6001"
+WALLET_PROVIDER="https://${DOMAIN}:5001"
+
+# Get Trust Anchor
+#
+docker_args="run --rm -i -v .:/workdir --entrypoint python3 docker.sunet.se/fedservice:latest fedservice/dc4eu_federation"
+docker $docker_args/get_info.py -k -t $TRUST_ANCHOR > trust_anchor.json
+
+# Add Anchor to Trust Mark Issuer
+docker ${docker_args}/add_info.py -s /workdir/trust_anchor.json -t /workdir/trust_mark_issuer/trust_anchors
+rm -r trust_mark_issuer/authority_hints
+echo -e "${TRUST_ANCHOR}" >> trust_mark_issuer/authority_hints
+
+#./entity.py trust_mark_issuer &
+#sleep 2
+#
+docker ${docker_args}/get_info.py -k -s "${TRUST_MARK_ISSUER}" > trust_mark_issuer.json
+docker ${docker_args}/add_info.py -s /workdir/trust_mark_issuer.json -t workdir/trust_anchor/subordinates 
+
+#FIXME: Special stuff here to get the paths right
+docker run --rm -i -v .:/workdir -v ./trust_mark_issuer:/trust_mark_issuer --entrypoint python3 docker.sunet.se/fedservice:latest fedservice/dc4eu_federation/issuer.py /trust_mark_issuer > trust_mark_issuers.json
+docker ${docker_args}/add_info.py -s workdir/trust_mark_issuers.json -t workdir/trust_anchor/trust_mark_issuers
+#
+## Wallet Provider
+docker ${docker_args}/add_info.py -s workdir/trust_anchor.json -t workdir/wallet_provider/trust_anchors
+rm -r wallet_provider/authority_hints
+echo -e "${TRUST_ANCHOR}" >> wallet_provider/authority_hints
+#
+#./entity.py wallet_provider &
+#sleep 2
+#
+docker ${docker_args}/get_info.py -k -s ${WALLET_PROVIDER} > wallet_provider.json
+docker ${docker_args}/add_info.py -s /workdir/wallet_provider.json -t workdir/trust_anchor/subordinates
+if [ ! -d flask_wallet/trust_anchors ]; then
+    mkdir flask_wallet/trust_anchors
+fi
+cp -a wallet_provider/trust_anchors/* flask_wallet/trust_anchors/
+echo "Place this into oidc_frontend.yaml. Add below:" 
+echo "config:             "
+echo "  op:               " 
+echo "    server_info:    "
+echo "      trust_anchors:"
+docker ${docker_args}/convert_json_to_yaml.py workdir/trust_anchor.json
+
+echo "Also add authority_hints:"
+echo "    - ${TRUST_ANCHOR} "
+
+echo "Also add trust_marks:"
+echo "    <TRUST_MARKS>"
+docker run --rm -ti -v .:/workdir --entrypoint bash docker.sunet.se/fedservice:latest -c "cd workdir;/fedservice/dc4eu_federation/create_trust_mark.py -m http://dc4eu.example.com/PersonIdentificationData/se -d trust_mark_issuer -e $1"
+cat << EOF 
+On Satosa, copy /etc/satosa/public/pid_fed_keys.json and add to
+{
+  "$1": {
+    "entity_types": [
+      "federation_entity",
+      "openid_credential_issuer",
+      "oauth_authorization_server"
+    ],
+    "jwks": {
+EOF
+
+echo "docker ${docker_args}/add_info.py -s /workdir/ci.json -t workdir/trust_anchor/subordinates"
+## Query Server
+#./add_info.py -s trust_anchor.json -t query_server/trust_anchors
+#rm -r query_server/authority_hints
+#echo -e "https://127.0.0.1:7003" >> query_server/authority_hints
+#
+#./entity.py query_server &
+#sleep 2
+#
+#./get_info.py -k -s https://127.0.0.1:6005 > tmp.json
+#./add_info.py -s tmp.json -t trust_anchor/subordinates
+
+## PID Issuer
+#./add_info.py -s trust_anchor.json -t pid_issuer/trust_anchors
+#rm -r pid_issuer/authority_hints
+#echo -e "https://127.0.0.1:7003" >> pid_issuer/authority_hints
+#
+#./entity.py pid_issuer &
+#sleep 2
+#
+#./get_info.py -k -s https://127.0.0.1:6001 > tmp.json
+#./add_info.py -s tmp.json -t trust_anchor/subordinates

dc4eu_federation/convert_json_to_yaml.py

@@ -0,0 +1,9 @@
+#!/usr/bin/env python3
+import json
+import sys
+
+import yaml
+
+fp = open(sys.argv[1], "r")
+_dict = json.load(fp)
+print(yaml.dump(_dict))

dc4eu_federation/entity.py

@@ -44,14 +44,12 @@ def init_app(dir_name, **kwargs) -> Flask:
 if __name__ == "__main__":
     print(sys.argv)
     directory_name = sys.argv[1]
-    template_dir = os.path.join(directory_name, 'templates')
-    app = init_app(directory_name, template_folder=template_dir)
+    app = init_app(directory_name)
     if "logging" in app.cnf:
         configure_logging(config=app.cnf["logging"])
     _web_conf = app.cnf["webserver"]
     if os.environ.get('FEDSERVICE_WEBCERT_KEY'):
         _web_conf['server_key'] = os.environ.get('FEDSERVICE_WEBCERT_KEY')
-        _web_conf['server_chain'] = os.environ.get('FEDSERVICE_WEBCERT_CHAIN')
         _web_conf['server_cert'] = os.environ.get('FEDSERVICE_WEBCERT_CERT')
     context = create_context(dir_path, _web_conf)
     _cert = "{}/{}".format(dir_path, lower_or_upper(_web_conf, "server_cert"))

docker/build.sh

@@ -1,2 +1,17 @@
 #!/bin/bash
+set -eo pipefail
+git clone --no-checkout --depth 1 --sparse --filter=blob:none https://github.com/rohe/satosa-openid4vci
+pushd satosa-openid4vci
+git sparse-checkout init --cone
+git sparse-checkout add example/flask_wallet/
+git checkout main
+cp -a example/flask_wallet ../../dc4eu_federation
+popd
+rm -rf satosa-openid4vci
+pushd ../dc4eu_federation/flask_wallet
+mv templates templates.orig
+mv templates_simplified templates
+mv conf_simplified.json conf.json
+#mv views_simplified.py views.py
+popd
 docker build -t fedservice -f ./fedservice.Dockerfile .. --no-cache

docker/docker-compose.yml

@@ -5,11 +5,10 @@ services:
     ports:
       - "5001:5001"
     environment:
-      FEDSERVICE_ENTITYID: https://example.com:5001
+      FEDSERVICE_ENTITYID: https://${DOMAIN:-localhost}:5001
       FEDSERVICE_WEBCERT_KEY: /certs/privkey.pem
-      FEDSERVICE_WEBCERT_CHAIN: /certs/chain.pem
-      FEDSERVICE_WEBCERT_CERT: /certs/cert.pem
-      FEDSERVICE_SECRET_KEY: 12345678909987654321
+      FEDSERVICE_WEBCERT_CERT: /certs/cert+chain.pem
+      FEDSERVICE_SECRET_KEY: A2345678909987654321
       FEDSERVICE_DEBUG: true
       FEDSERVICE_PORT: 5001
       FEDSERVICE_BIND: 0.0.0.0
@@ -22,11 +21,10 @@ services:
     ports:
       - "6001:6001"
     environment:
-      FEDSERVICE_ENTITYID: https://example.com:6001
+      FEDSERVICE_ENTITYID: https://${DOMAIN:-localhost}:6001
       FEDSERVICE_WEBCERT_KEY: /certs/privkey.pem
-      FEDSERVICE_WEBCERT_CHAIN: /certs/chain.pem
-      FEDSERVICE_WEBCERT_CERT: /certs/cert.pem
-      FEDSERVICE_SECRET_KEY: 12345678909987654321
+      FEDSERVICE_WEBCERT_CERT: /certs/cert+chain.pem
+      FEDSERVICE_SECRET_KEY: B2345678909987654321
       FEDSERVICE_DEBUG: true
       FEDSERVICE_PORT: 6001
       FEDSERVICE_BIND: 0.0.0.0
@@ -39,31 +37,30 @@ services:
     ports:
       - "7001:7001"
     environment:
-      FEDSERVICE_ENTITYID: https://example.com:7001
+      FEDSERVICE_ENTITYID: https://${DOMAIN:-localhost}:7001
       FEDSERVICE_WEBCERT_KEY: /certs/privkey.pem
-      FEDSERVICE_WEBCERT_CHAIN: /certs/chain.pem
-      FEDSERVICE_WEBCERT_CERT: /certs/cert.pem
-      FEDSERVICE_SECRET_KEY: 12345678909987654321
+      FEDSERVICE_WEBCERT_CERT: /certs/cert+chain.pem
+      FEDSERVICE_SECRET_KEY: C12345678909987654321
       FEDSERVICE_DEBUG: true
       FEDSERVICE_PORT: 7001
       FEDSERVICE_BIND: 0.0.0.0
     volumes:
     - ./trust_anchor:/trust_anchor:rw
     - ./certificates:/certs:ro
-#  flask_wallet:
-#    image: fedservice
-#    command: "flask_wallet"
-#    ports:
-#      - "5005:5005"
-#    environment:
-#      FEDSERVICE_ENTITYID: https://example.com:5005
-#      FEDSERVICE_WEBCERT_KEY: /cert/privkey.pem
-#      FEDSERVICE_WEBCERT_CHAIN: /cert/chain.pem
-#      FEDSERVICE_SECRET_KEY: 12345678909987654321
-#      FEDSERVICE_DEBUG: true
-#      FEDSERVICE_PORT: 5005
-#      FEDSERVICE_BIND: 0.0.0.0
-#    volumes:
-#    - ./flask_wallet:/flask_wallet:rw
-#    - ./certificates:/certs:ro
+  flask_wallet:
+    image: fedservice
+    command: "flask_wallet"
+    ports:
+      - "5005:5005"
+    environment:
+      FEDSERVICE_ENTITYID: https://${DOMAIN:-localhost}:5005
+      FEDSERVICE_WEBCERT_KEY: /certs/privkey.pem
+      FEDSERVICE_WEBCERT_CERT: /certs/cert+chain.pem
+      FEDSERVICE_SECRET_KEY: D12345678909987654321
+      FEDSERVICE_DEBUG: true
+      FEDSERVICE_PORT: 5005
+      FEDSERVICE_BIND: 0.0.0.0
+    volumes:
+    - ./flask_wallet:/flask_wallet:rw
+    - ./certificates:/certs:ro
 

docker/fedservice.Dockerfile

@@ -8,7 +8,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     libffi-dev \
     libssl-dev \
     xmlsec1 \
-    libyaml-dev
+    libyaml-dev \
+    jq
 RUN pip3 install --upgrade pip setuptools
 COPY . /fedservice
 RUN pip3 install -r fedservice/docker/requirements.docker

docker/requirements.docker

@@ -1,4 +1,4 @@
--e git+https://github.com/IdentityPython/idpy-oidc.git@issuer_metadata#egg=idpyoidc
--e git+https://github.com/rohe/openid4v.git#egg=openid4v
--e git+https://github.com/rohe/idpy-sdjwt.git#egg=idpysdjwt
+git+https://github.com/IdentityPython/idpy-oidc.git@issuer_metadata#egg=idpyoidc
+git+https://github.com/SUNET/openid4v.git#egg=openid4v
+git+https://github.com/SUNET/idpy-sdjwt.git#egg=idpysdjwt
 flask

docker/start.sh

@@ -1,13 +1,17 @@
 #!/bin/bash
+set -eo pipefail
 
 for file in conf.json views.py; do
-	if [ ! -f /"${1}"/"${file}" ]; then
-		echo "No ${file} found, copying to /${1}/"
-		cp /fedservice/dc4eu_federation/"${1}"/"${file}" /"${1}"/
-	else
-		echo "${file} found, leaving alone. Beware when upgrading."
-
-	fi
+    if [ -f /"${1}"/"${file}" ]; then
+        echo "${file} found, leaving alone. Beware when upgrading."
+        continue
+    fi
+    echo "No ${file} found, copying to /${1}/"
+    if [ $file = conf.json ]; then
+        jq --arg a "$FEDSERVICE_ENTITYID" ' .entity.entity_id = $a' /fedservice/dc4eu_federation/"${1}/${file}" > "${1}/${file}"
+    else
+        cp /fedservice/dc4eu_federation/"${1}/${file}" /"${1}"/
+    fi
 done
-echo "Starting $@."
+echo "Starting ${1}."
 /fedservice/dc4eu_federation/entity.py "$@"